<!DOCTYPE HTML>
<html>
<head>
    <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
    'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
    <script src="/resources/testharness.js" nonce="abc"></script>
    <script src="/resources/testharnessreport.js" nonce="abc"></script>
    <script src="support/helper.js" nonce="abc"></script>
</head>
<body>
    <script nonce="abc">
    // script-src-attr CSP should not have effects because navigation CSP
    // checks are done against script-src-elem.
    // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
    runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
    </script>
</body>
</html>
